On December 8, 2024, DataBreaches reported that Watsonville Community Hospital in California was continuing to respond to what they referred to as a cyberattack on November 29. No gang had claimed responsibility at that point, patients hadn’t been notified yet, and the hospital wasn’t stating whether the attack involved encryption of any files. Weeks later, and in a substitute notice posted on December 31, 2024, they noted that patients’ name, date of birth, Social Security number, passport number, and diagnosis information may have been present in files that had been accessed in a “recent data security event” that was still under investigation. The hospital did not confirm or deny whether this was a ransomware attack.
But even before the substitute notice was posted, threat actors known as Termite had added the hospital to its dark web leak site on December 11, 2024. Termite’s leak site was last updated on January 8, 2025, and their proof of claims included personnel data and patient data.
By March 21, 2025, there was still no public indication that the hospital had notified patients or HHS, and employees were reporting becoming victims of tax refund fraud. Email inquiries DataBreaches submitted to the hospital in March went unanwered, and the hospital did not issue any update to its substitute notice, even after Termite leaked what it claimed was the hospital’s data in July 2025.
Then on October 1, 2025, the “Sinobi” group added the hospital to their leak site, with a breach date of August 9, 2025. They claimed that they had encrypted files and had 13 GB of data.
Sinobi subsequently leaked the data. The data do not match the description of data in the Termite incident, and many of the files leaked by Sinobi are from March 2025, which was after the November 2024 incident.
Did Termite still have access to the hospital’s server after the November 2024 attack? Was “Sinobi” just a rebrand of “Termite” with the same data from Termite? Or was this a second breach? A search of the Termite data tranche for some of the files in the Sinobi tranche did not find the Sinobi files, suggesting that the Sinobi data is not just a subset of the Termite leak.
There is much we don’t know because there has been no notice from Watsonville Community Hospital on HHS’s public breach tool or the California Attorney General’s website, or any state attorney general’s site that publishes the notices it receives.
In December 2024, Watsonville’s substitute notice, indicated that they had filed reports:
We also reported this incident to the Federal Bureau of Investigation who is responsible for investigating these cyber events, and appropriate state and federal data privacy regulators. We remain committed to complying with all state and federal requirements and maintaining timely and transparent communication with our community as we learn more. If additional individuals are identified, they will promptly receive notice directly from us.
Yet they do not seem to have notifed the California Attorney General’s Office, even after all this time. And what federal privacy regulators did they notify? There is no listing on HHS’s public breach tool for incidents affecting more than 500 patients. Was this a smaller incident? Or was it a bigger incident that hasn’t been reported or posted by HHS?
[Note: The legal name of Watsonville Community Hospital is Pajaro Valley Health Care District Hospital Corporation. DataBreaches could find no notification to California or HHS under either name.]
So how many breaches did the hospital experience? How many patients were affected? How many employees were affected? How many employees reported becoming victims of fraud or identity theft?
The hospital did not respond to an inquiry submitted to them on October 2 and did not return a phone call this week when DataBreaches left a message asking whether there had been one incident or two and requesting more clarification and details.
Watsonville is a California entity, so DataBreaches emailed the CDPH to ask if Watsonville ever notified them of a breach or breaches in 2024 and 2025. No reply was immediately received, but this post will be updated if a reply is received.
This story was updated once we were able to acces the Termite data tranche and we compared the data in the Sinobi leak to the Termite leak. It now looks like these are separate data tranches, but Watsonville has neither confirmed that nor refuted it.
Update of October 16, 2025: On October 10, when DataBreaches published this post, it noted that Watsonville had not notified the California Attorney General’s Office about the November 2024 incident. Today, Watsonville submitted a copy of their notification letter to patients to the California Attorney General’s office. The letter to patients is dated October 15, 2025.